Hi Matt,
The "Manage Credit Card"/"Edit Credit Card Information" page demonstrates that the Credit Card Validation Code (aka CVV2, CVC2, CID, CAV2 data) is potentially being saved in non-volatile storage.
Please read Requirement 1.1.2 of: https://www.pcisecuritystandards.org/pdfs/pci_pabp_to_pa-dss_transition_v1.pdf
For the security of everyone's credit card, a merchant must not store this value. To be effective, the CCV must remain a "shared secret" between the cardholder and the credit card company (not the merchant in between).
Matt, speak with your credit card processor to set up some subscription charge agreement that uses the value initially and does not store/save the CCV.
Because the worst-case scenario (exposing the CCVs and other credit card information) is a significant customer trust issue and business risk.
Regards,
–Mike
It would be much better, if C2 did not handle customer financial information. As C2 is effectively a one person company, the security things like this fall on C2’s head. There are too many cases where tens of millions of customers’ data was hacked or otherwise compromised, even for large retailers.
Many legitimate small businesses use something like PayPal or Google's payment provider or other online providers. Generally, I don't even do business with websites that handle the credit card or bank account themselves. There is too much security, hacking and other things going on. PayPal-type companies are equipped to handle this.
At minimum, you could offer Moneybookers, PayPal or another service for people uncomfortable with revealing their card information to C2. I suspect it costs at least a few C2 sales for the hack-a-phobic people.